Bitsight SPM
Overview
Bitsight Security Performance Management enables organizations to continuously monitor, measure, and improve their cybersecurity performance by providing actionable insights and metrics on security posture and risk.
- Vendor: BitSight Technologies
- Supported environment: SaaS
- Detection based on: Alert
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
Supported events
This integration supports the following events:
- Findings (with vulnerability detail and asset detail)
Configure
This setup guide will show you how to provide an integration between Bitsight SPM and Sekoia.io.
Generate the API token
To collect the events from the Cato Networks platform, an API token is required:
- Make sure the Bitsight user used for the integration has at least Reader permissions.
- Log in to Bitsight Security Ratings Platform
- Go to
Settings
->Account
->API Token
->Generate New Token (API Key)
-
Create new API Token
Create an intake
- Go to the intake page and create a new intake from the format
Bitsight SPM
. - Set up the intake configuration with the Api Token and Company UUIds.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"temporary_id": "11111111111111",
"affects_rating": true,
"details": {
"cvss": {
"base": []
},
"check_pass": "",
"diligence_annotations": {
"modal_data": {
"type": "overridden",
"reason": "Software version in extended support"
},
"modal_tags": {
"Type": "MS IIS",
"Version": "7.5"
},
"server": "MS IIS",
"version": "7.5"
},
"geo_ip_location": "test",
"country": "test country",
"grade": "BAD",
"observed_ips": [
"1.2.3.4"
],
"port_list": [
80,
81,
8443,
8880
],
"remediations": [
{
"message": "Software version in extended support",
"help_text": "The software version is outside mainstream support and is currently in extended support.",
"remediation_tip": "Ensure the latest version of the software is installed. See <a href=\"https://help.bitsight.com/hc/en-us/articles/360010346733-Supported-Server-Software\">supported versions</a>."
}
],
"sample_timestamp": "2024-06-29T21:02:18Z",
"dest_port": 80,
"rollup_end_date": "2024-06-29",
"rollup_start_date": "2023-10-04",
"searchable_details": "Software version in extended support,MS IIS,7.5"
},
"evidence_key": "1.2.3.4",
"first_seen": "2023-10-04",
"last_seen": "2024-06-29",
"related_findings": [],
"risk_category": "Diligence",
"risk_vector": "server_software",
"risk_vector_label": "Server Software",
"rolledup_observation_id": "11111111111",
"severity": 8.0,
"severity_category": "material",
"tags": [],
"remediation_history": {
"last_requested_refresh_date": null,
"last_refresh_status_date": null,
"last_refresh_status_label": null,
"last_refresh_reason_code": null
},
"asset_overrides": [],
"duration": null,
"comments": "User from Test, Inc. said: \"Test assignments\" at 2023-11-28 12:27 UTC",
"remaining_decay": 57,
"remediated": null,
"impacts_risk_vector_details": "AFFECTS_RATING",
"company_uuid": "111111111111111",
"asset": {
"asset": "1.2.3.4",
"identifier": null,
"category": "critical",
"importance": 0.49,
"is_ip": true,
"asset_type": "IP"
}
}
{
"temporary_id": "11111111111111111",
"affects_rating": true,
"details": {
"cvss": {
"base": []
},
"check_pass": "",
"diligence_annotations": {
"message": "Detected service: HTTP",
"CPE": [
"a:amazon:amazon_cloudfront"
],
"Tags": [],
"Product": "CloudFront httpd",
"Title": "ERROR: The request could not be satisfied",
"transport": "tcp",
"Status": "HTTP/1.1 400 Bad Request",
"Server": "CloudFront"
},
"final_location": "http://1.2.3.4:12/",
"geo_ip_location": "Location",
"country": "Country",
"grade": "NEUTRAL",
"remediations": [
{
"message": "Detected service: HTTP",
"help_text": "This port was observed running HTTP, which used for sending and receiving Internet traffic.",
"remediation_tip": ""
}
],
"sample_timestamp": "2024-06-29T08:37:25Z",
"dest_port": 443,
"rollup_end_date": "2024-06-29",
"rollup_start_date": "2024-02-13",
"searchable_details": "Detected service: HTTP,tcp,CloudFront httpd"
},
"evidence_key": "143.204.213.175:443",
"first_seen": "2024-02-13",
"last_seen": "2024-06-29",
"related_findings": [],
"risk_category": "Diligence",
"risk_vector": "open_ports",
"risk_vector_label": "Open Ports",
"rolledup_observation_id": "1222222222222",
"severity": 1.0,
"severity_category": "minor",
"tags": [],
"remediation_history": {
"last_requested_refresh_date": null,
"last_refresh_status_date": null,
"last_refresh_status_label": null,
"last_refresh_reason_code": null
},
"asset_overrides": [],
"duration": null,
"comments": null,
"remaining_decay": 57,
"remediated": null,
"impacts_risk_vector_details": "AFFECTS_RATING",
"company_uuid": "1111111111111111111111111111",
"asset": {
"asset": "1.2.3.4",
"identifier": null,
"category": "low",
"importance": 0.0,
"is_ip": true,
"asset_type": "IP"
}
}
{
"temporary_id": "11111111111111",
"affects_rating": true,
"details": {
"cvss": {
"base": []
},
"check_pass": "",
"diligence_annotations": {
"message": "Allows insecure protocol: TLSv1.0, Allows insecure protocol: TLSv1.1",
"certchain": [
{
"dnsName": [
"*.test.test",
"test.test"
],
"endDate": "2025-05-15 23:59:59",
"issuerName": "C=TestC,O=TestO,CN=TestCN RSA Domain Validation Secure Server CA 3",
"keyAlgorithm": "RSA",
"keyLength": 2048,
"serialNumber": "111111111111111111111111",
"signatureAlgorithm": "SHA384WITHRSA",
"startDate": "2024-05-07 00:00:00",
"subjectName": "CN=*.test.test"
},
{
"dnsName": [],
"endDate": "2033-08-01 23:59:59",
"issuerName": "C=TestC,ST=TestST,L=TestL,O=TestO,CN=TestCN RSA Certification Authority",
"keyAlgorithm": "RSA",
"keyLength": 3072,
"serialNumber": "1111111111111111111111111111",
"signatureAlgorithm": "SHA384WITHRSA",
"startDate": "2023-08-02 00:00:00",
"subjectName": "C=TestC,O=TestO,CN=TestCN RSA Domain Validation Secure Server CA 3"
}
]
},
"final_location": "https://1.2.3.4/",
"geo_ip_location": "Test",
"country": "Test country",
"grade": "BAD",
"observed_ips": [
"1.2.3.4:443"
],
"remediations": [
{
"message": "Allows insecure protocol: TLSv1.0",
"help_text": "TLS version 1.0 has been deprecated.",
"remediation_tip": "Disable TLS 1.0. See our <a href=\"https://help.bitsight.com/hc/en-us/articles/9176707227031-TLS-SSL-Finding-Remediation-Remediation-Verification\">guide for remediating TLS/SSL Configuration findings</a>."
},
{
"message": "Allows insecure protocol: TLSv1.1",
"help_text": "TLS version 1.1 has been deprecated.",
"remediation_tip": "Disable TLS 1.1. See our <a href=\"https://help.bitsight.com/hc/en-us/articles/9176707227031-TLS-SSL-Finding-Remediation-Remediation-Verification\">guide on verifying TLS is disabled</a>."
}
],
"sample_timestamp": "2024-06-29T00:49:11Z",
"dest_port": 443,
"rollup_end_date": "2024-06-29",
"rollup_start_date": "2024-06-20",
"searchable_details": "test details"
},
"evidence_key": "18.134.200.62:443",
"first_seen": "2024-06-20",
"last_seen": "2024-06-29",
"related_findings": [],
"risk_category": "Diligence",
"risk_vector": "ssl_configurations",
"risk_vector_label": "SSL Configurations",
"rolledup_observation_id": "122222222222222222",
"severity": 10.0,
"severity_category": "severe",
"tags": [],
"remediation_history": {
"last_requested_refresh_date": null,
"last_refresh_status_date": null,
"last_refresh_status_label": null,
"last_refresh_reason_code": null
},
"asset_overrides": [],
"duration": null,
"comments": null,
"remaining_decay": 57,
"remediated": null,
"impacts_risk_vector_details": "AFFECTS_RATING",
"company_uuid": "11111111111111111111111111111",
"asset": {
"asset": "1.2.3.4",
"identifier": null,
"category": "low",
"importance": 0.0,
"is_ip": true,
"asset_type": "IP"
}
}
{
"temporary_id": "11111111111111111111111111111111",
"affects_rating": true,
"details": {
"cvss": {
"base": []
},
"check_pass": "",
"diligence_annotations": {
"message": "Detected service: HTTPS",
"CPE": [
"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"
],
"Tags": [],
"Title": "Service",
"transport": "tcp",
"Status": "HTTP/1.1 200 OK",
"Server": "Microsoft-HTTPAPI/2.0"
},
"final_location": "https://1.2.3.4:8086/",
"geo_ip_location": "Test",
"country": "TestCountry",
"grade": "GOOD",
"remediations": [
{
"message": "Detected service: HTTPS",
"help_text": "This port was observed running Hypertext Transfer Protocol Secure (HTTPS), which is used for sending and receiving secure internet traffic.",
"remediation_tip": ""
}
],
"sample_timestamp": "2024-06-29T11:52:03Z",
"dest_port": 8086,
"rollup_end_date": "2024-06-29",
"rollup_start_date": "2023-05-13",
"searchable_details": "Detected service: HTTPS,tcp"
},
"evidence_key": "1.2.3.4:8086",
"first_seen": "2023-05-13",
"last_seen": "2024-06-29",
"related_findings": [],
"risk_category": "Diligence",
"risk_vector": "open_ports",
"risk_vector_label": "Open Ports",
"rolledup_observation_id": "1123123123123123123",
"severity": 1.0,
"severity_category": "minor",
"tags": [],
"remediation_history": {
"last_requested_refresh_date": null,
"last_refresh_status_date": null,
"last_refresh_status_label": null,
"last_refresh_reason_code": null
},
"asset_overrides": [],
"duration": null,
"comments": null,
"remaining_decay": 57,
"remediated": null,
"impacts_risk_vector_details": "AFFECTS_RATING",
"company_uuid": "1111111111111111111111111",
"asset": {
"asset": "1.2.3.4",
"identifier": null,
"category": "low",
"importance": 0.0,
"is_ip": true,
"asset_type": "IP"
}
}
{
"temporary_id": "1111111111111111111111111111111111111111111111111111&",
"affects_rating": false,
"asset": {
"asset": "1.2.3.4",
"identifier": null,
"category": "low",
"importance": 0,
"is_ip": true,
"asset_type": "Domain"
},
"vulnerability": {
"name": "CVE-2014-3566",
"alias": "POODLE",
"display_name": "POODLE",
"description": "The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).",
"remediation_tip": "Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in <a target=\"new\" href=\"https://disablessl3.com/\">Disable SSLv3</a>.",
"confidence": "HIGH",
"cvss": {
"base": 3.4
},
"severity": "Minor"
},
"company_uuid": "399e55d6-eab2-438d-84cd-fb0d0b967fcd",
"details": {
"cvss": {
"base": [
3.4
]
},
"check_pass": "",
"diligence_annotations": {
"remediation_dates": [
{
"first": "2022-08-14 21:04:42",
"last": "2022-08-14 21:04:42"
}
],
"is_remediated": true
},
"remediations": [
{
"message": "CVE-2014-3566 (POODLE)",
"help_text": "The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).",
"remediation_tip": "Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in <a target=\"new\" href=\"https://disablessl3.com/\">Disable SSLv3</a>."
}
],
"rollup_end_date": "2022-08-14",
"rollup_start_date": "2022-08-14",
"searchable_details": "CVE-2014-3566"
},
"evidence_key": "1.2.3.4:443",
"first_seen": "2022-08-14",
"last_seen": "2022-08-14",
"related_findings": [],
"risk_category": "Diligence",
"risk_vector": "patching_cadence",
"risk_vector_label": "Patching Cadence",
"rolledup_observation_id": "ZxFoXXsV3gvZS0t0oTmxcA==",
"severity": 4.3,
"severity_category": "moderate",
"tags": [],
"remediation_history": {
"last_requested_refresh_date": null,
"last_refresh_status_date": null,
"last_refresh_status_label": null,
"last_refresh_reason_code": null
},
"asset_overrides": [],
"duration": "1 day",
"comments": null,
"remaining_decay": null,
"remediated": true,
"impacts_risk_vector_details": "LIFETIME_EXPIRED"
}
{
"temporary_id": "1111111111111111111111111111111111111111111111111111&",
"affects_rating": false,
"asset": {
"asset": "1.2.3.4",
"identifier": null,
"category": "low",
"importance": 0,
"is_ip": true,
"asset_type": "IP"
},
"vulnerability": {
"name": "CVE-2014-3566",
"alias": "POODLE",
"display_name": "POODLE",
"description": "The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).",
"remediation_tip": "Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in <a target=\"new\" href=\"https://disablessl3.com/\">Disable SSLv3</a>.",
"confidence": "HIGH",
"cvss": {
"base": 3.4
},
"severity": "Minor"
},
"company_uuid": "399e55d6-eab2-438d-84cd-fb0d0b967fcd",
"details": {
"cvss": {
"base": [
3.4
]
},
"check_pass": "",
"diligence_annotations": {
"remediation_dates": [
{
"first": "2022-08-14 21:04:42",
"last": "2022-08-14 21:04:42"
}
],
"is_remediated": true
},
"remediations": [
{
"message": "CVE-2014-3566 (POODLE)",
"help_text": "The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).",
"remediation_tip": "Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in <a target=\"new\" href=\"https://disablessl3.com/\">Disable SSLv3</a>."
}
],
"rollup_end_date": "2022-08-14",
"rollup_start_date": "2022-08-14",
"searchable_details": "CVE-2014-3566"
},
"evidence_key": "1.2.3.4:443",
"first_seen": "2022-08-14",
"last_seen": "2022-08-14",
"related_findings": [],
"risk_category": "Diligence",
"risk_vector": "patching_cadence",
"risk_vector_label": "Patching Cadence",
"rolledup_observation_id": "ZxFoXXsV3gvZS0t0oTmxcA==",
"severity": 4.3,
"severity_category": "moderate",
"tags": [],
"remediation_history": {
"last_requested_refresh_date": null,
"last_refresh_status_date": null,
"last_refresh_status_label": null,
"last_refresh_reason_code": null
},
"asset_overrides": [],
"duration": "1 day",
"comments": null,
"remaining_decay": null,
"remediated": true,
"impacts_risk_vector_details": "LIFETIME_EXPIRED"
}
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake Bitsight SPM [BETA]. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x Bitsight SPM [BETA] on ATT&CK Navigator
Bazar Loader DGA (Domain Generation Algorithm)
Detects Bazar Loader domains based on the Bazar Loader DGA
- Effort: elementary
Bitsight SPM Material Vulnerability
Bitsight SPM has raised a material vulnerability finding
- Effort: master
Bitsight SPM Minor Vulnerability
Bitsight SPM has raised a minor vulnerability finding
- Effort: master
Bitsight SPM Moderate Vulnerability
Bitsight SPM has raised a moderate vulnerability finding
- Effort: master
Bitsight SPM Severe Vulnerability
Bitsight SPM has raised a severe vulnerability finding
- Effort: master
Cryptomining
Detection of domain names potentially related to cryptomining activities.
- Effort: master
Dynamic DNS Contacted
Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.
- Effort: master
EvilProxy Phishing Domain
Detects subdomains potentially generated by the EvilProxy adversary-in-the-middle phishing platform. Inspect the other subdomains of the domain to identify the landing page, and determine if the user submitted credentials. This rule has a small percentage of false positives on legitimate domains.
- Effort: intermediate
Exfiltration Domain
Detects traffic toward a domain flagged as a possible exfiltration vector.
- Effort: master
Remote Access Tool Domain
Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).
- Effort: master
Sekoia.io EICAR Detection
Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.
- Effort: master
TOR Usage Generic Rule
Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
- Effort: master
Event Categories
The following table lists the data source offered by this integration.
Data Source | Description |
---|---|
Application logs |
None |
Process monitoring |
None |
Web logs |
None |
In details, the following table denotes the type of events produced by this integration.
Name | Values |
---|---|
Kind | `` |
Category | vulnerability |
Type | info |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\"temporary_id\":\"11111111111111\",\"affects_rating\":true,\"details\":{\"cvss\":{\"base\":[]},\"check_pass\":\"\",\"diligence_annotations\":{\"modal_data\":{\"type\":\"overridden\",\"reason\":\"Software version in extended support\"},\"modal_tags\":{\"Type\":\"MS IIS\",\"Version\":\"7.5\"},\"server\":\"MS IIS\",\"version\":\"7.5\"},\"geo_ip_location\":\"test\",\"country\":\"test country\",\"grade\":\"BAD\",\"observed_ips\":[\"1.2.3.4\"],\"port_list\":[80,81,8443,8880],\"remediations\":[{\"message\":\"Software version in extended support\",\"help_text\":\"The software version is outside mainstream support and is currently in extended support.\",\"remediation_tip\":\"Ensure the latest version of the software is installed. See <a href=\\\"https://help.bitsight.com/hc/en-us/articles/360010346733-Supported-Server-Software\\\">supported versions</a>.\"}],\"sample_timestamp\":\"2024-06-29T21:02:18Z\",\"dest_port\":80,\"rollup_end_date\":\"2024-06-29\",\"rollup_start_date\":\"2023-10-04\",\"searchable_details\":\"Software version in extended support,MS IIS,7.5\"},\"evidence_key\":\"1.2.3.4\",\"first_seen\":\"2023-10-04\",\"last_seen\":\"2024-06-29\",\"related_findings\":[],\"risk_category\":\"Diligence\",\"risk_vector\":\"server_software\",\"risk_vector_label\":\"Server Software\",\"rolledup_observation_id\":\"11111111111\",\"severity\":8.0,\"severity_category\":\"material\",\"tags\":[],\"remediation_history\":{\"last_requested_refresh_date\":null,\"last_refresh_status_date\":null,\"last_refresh_status_label\":null,\"last_refresh_reason_code\":null},\"asset_overrides\":[],\"duration\":null,\"comments\":\"User from Test, Inc. said: \\\"Test assignments\\\" at 2023-11-28 12:27 UTC\",\"remaining_decay\":57,\"remediated\":null,\"impacts_risk_vector_details\":\"AFFECTS_RATING\",\"company_uuid\":\"111111111111111\",\"asset\":{\"asset\":\"1.2.3.4\",\"identifier\":null,\"category\":\"critical\",\"importance\":0.49,\"is_ip\":true,\"asset_type\":\"IP\"}}",
"event": {
"category": "vulnerability",
"end": "2024-06-29T00:00:00Z",
"start": "2023-10-04T00:00:00Z",
"type": "info"
},
"@timestamp": "2024-06-29T00:00:00Z",
"bitsight": {
"spm": {
"impacts_risk_vector_details": "AFFECTS_RATING",
"risk_category": "Diligence",
"risk_vector": "server_software",
"risk_vector_label": "Server Software",
"severity": "8.0",
"severity_category": "material",
"temporary_id": "11111111111111"
}
},
"host": {
"ip": [
"1.2.3.4"
]
},
"observer": {
"product": "Security Performance Management",
"vendor": "BitSight"
},
"organization": {
"id": "111111111111111"
},
"related": {
"ip": [
"1.2.3.4"
]
}
}
{
"message": "{\n \"temporary_id\": \"11111111111111111\",\n \"affects_rating\": true,\n \"details\": {\n \"cvss\": {\n \"base\": [\n \n ]\n },\n \"check_pass\": \"\",\n \"diligence_annotations\": {\n \"message\": \"Detected service: HTTP\",\n \"CPE\": [\n \"a:amazon:amazon_cloudfront\"\n ],\n \"Tags\": [\n \n ],\n \"Product\": \"CloudFront httpd\",\n \"Title\": \"ERROR: The request could not be satisfied\",\n \"transport\": \"tcp\",\n \"Status\": \"HTTP/1.1 400 Bad Request\",\n \"Server\": \"CloudFront\"\n },\n \"final_location\": \"http://1.2.3.4:12/\",\n \"geo_ip_location\": \"Location\",\n \"country\": \"Country\",\n \"grade\": \"NEUTRAL\",\n \"remediations\": [\n {\n \"message\": \"Detected service: HTTP\",\n \"help_text\": \"This port was observed running HTTP, which used for sending and receiving Internet traffic.\",\n \"remediation_tip\": \"\"\n }\n ],\n \"sample_timestamp\": \"2024-06-29T08:37:25Z\",\n \"dest_port\": 443,\n \"rollup_end_date\": \"2024-06-29\",\n \"rollup_start_date\": \"2024-02-13\",\n \"searchable_details\": \"Detected service: HTTP,tcp,CloudFront httpd\"\n },\n \"evidence_key\": \"143.204.213.175:443\",\n \"first_seen\": \"2024-02-13\",\n \"last_seen\": \"2024-06-29\",\n \"related_findings\": [\n \n ],\n \"risk_category\": \"Diligence\",\n \"risk_vector\": \"open_ports\",\n \"risk_vector_label\": \"Open Ports\",\n \"rolledup_observation_id\": \"1222222222222\",\n \"severity\": 1.0,\n \"severity_category\": \"minor\",\n \"tags\": [\n \n ],\n \"remediation_history\": {\n \"last_requested_refresh_date\": null,\n \"last_refresh_status_date\": null,\n \"last_refresh_status_label\": null,\n \"last_refresh_reason_code\": null\n },\n \"asset_overrides\": [\n \n ],\n \"duration\": null,\n \"comments\": null,\n \"remaining_decay\": 57,\n \"remediated\": null,\n \"impacts_risk_vector_details\": \"AFFECTS_RATING\",\n \"company_uuid\": \"1111111111111111111111111111\",\n \"asset\": {\n \"asset\": \"1.2.3.4\",\n \"identifier\": null,\n \"category\": \"low\",\n \"importance\": 0.0,\n \"is_ip\": true,\n \"asset_type\": \"IP\"\n }\n}",
"event": {
"category": "vulnerability",
"end": "2024-06-29T00:00:00Z",
"start": "2024-02-13T00:00:00Z",
"type": "info"
},
"@timestamp": "2024-06-29T00:00:00Z",
"bitsight": {
"spm": {
"impacts_risk_vector_details": "AFFECTS_RATING",
"risk_category": "Diligence",
"risk_vector": "open_ports",
"risk_vector_label": "Open Ports",
"severity": "1.0",
"severity_category": "minor",
"temporary_id": "11111111111111111"
}
},
"host": {
"ip": [
"1.2.3.4"
]
},
"observer": {
"product": "Security Performance Management",
"vendor": "BitSight"
},
"organization": {
"id": "1111111111111111111111111111"
},
"related": {
"ip": [
"1.2.3.4"
]
}
}
{
"message": "{\n \"temporary_id\": \"11111111111111\",\n \"affects_rating\": true,\n \"details\": {\n \"cvss\": {\n \"base\": [\n \n ]\n },\n \"check_pass\": \"\",\n \"diligence_annotations\": {\n \"message\": \"Allows insecure protocol: TLSv1.0, Allows insecure protocol: TLSv1.1\",\n \"certchain\": [\n {\n \"dnsName\": [\n \"*.test.test\",\n \"test.test\"\n ],\n \"endDate\": \"2025-05-15 23:59:59\",\n \"issuerName\": \"C=TestC,O=TestO,CN=TestCN RSA Domain Validation Secure Server CA 3\",\n \"keyAlgorithm\": \"RSA\",\n \"keyLength\": 2048,\n \"serialNumber\": \"111111111111111111111111\",\n \"signatureAlgorithm\": \"SHA384WITHRSA\",\n \"startDate\": \"2024-05-07 00:00:00\",\n \"subjectName\": \"CN=*.test.test\"\n },\n {\n \"dnsName\": [\n \n ],\n \"endDate\": \"2033-08-01 23:59:59\",\n \"issuerName\": \"C=TestC,ST=TestST,L=TestL,O=TestO,CN=TestCN RSA Certification Authority\",\n \"keyAlgorithm\": \"RSA\",\n \"keyLength\": 3072,\n \"serialNumber\": \"1111111111111111111111111111\",\n \"signatureAlgorithm\": \"SHA384WITHRSA\",\n \"startDate\": \"2023-08-02 00:00:00\",\n \"subjectName\": \"C=TestC,O=TestO,CN=TestCN RSA Domain Validation Secure Server CA 3\"\n }\n ]\n },\n \"final_location\": \"https://1.2.3.4/\",\n \"geo_ip_location\": \"Test\",\n \"country\": \"Test country\",\n \"grade\": \"BAD\",\n \"observed_ips\": [\n \"1.2.3.4:443\"\n ],\n \"remediations\": [\n {\n \"message\": \"Allows insecure protocol: TLSv1.0\",\n \"help_text\": \"TLS version 1.0 has been deprecated.\",\n \"remediation_tip\": \"Disable TLS 1.0. See our <a href=\\\"https://help.bitsight.com/hc/en-us/articles/9176707227031-TLS-SSL-Finding-Remediation-Remediation-Verification\\\">guide for remediating TLS/SSL Configuration findings</a>.\"\n },\n {\n \"message\": \"Allows insecure protocol: TLSv1.1\",\n \"help_text\": \"TLS version 1.1 has been deprecated.\",\n \"remediation_tip\": \"Disable TLS 1.1. See our <a href=\\\"https://help.bitsight.com/hc/en-us/articles/9176707227031-TLS-SSL-Finding-Remediation-Remediation-Verification\\\">guide on verifying TLS is disabled</a>.\"\n }\n ],\n \"sample_timestamp\": \"2024-06-29T00:49:11Z\",\n \"dest_port\": 443,\n \"rollup_end_date\": \"2024-06-29\",\n \"rollup_start_date\": \"2024-06-20\",\n \"searchable_details\": \"test details\"\n },\n \"evidence_key\": \"18.134.200.62:443\",\n \"first_seen\": \"2024-06-20\",\n \"last_seen\": \"2024-06-29\",\n \"related_findings\": [\n \n ],\n \"risk_category\": \"Diligence\",\n \"risk_vector\": \"ssl_configurations\",\n \"risk_vector_label\": \"SSL Configurations\",\n \"rolledup_observation_id\": \"122222222222222222\",\n \"severity\": 10.0,\n \"severity_category\": \"severe\",\n \"tags\": [\n \n ],\n \"remediation_history\": {\n \"last_requested_refresh_date\": null,\n \"last_refresh_status_date\": null,\n \"last_refresh_status_label\": null,\n \"last_refresh_reason_code\": null\n },\n \"asset_overrides\": [\n \n ],\n \"duration\": null,\n \"comments\": null,\n \"remaining_decay\": 57,\n \"remediated\": null,\n \"impacts_risk_vector_details\": \"AFFECTS_RATING\",\n \"company_uuid\": \"11111111111111111111111111111\",\n \"asset\": {\n \"asset\": \"1.2.3.4\",\n \"identifier\": null,\n \"category\": \"low\",\n \"importance\": 0.0,\n \"is_ip\": true,\n \"asset_type\": \"IP\"\n }\n}",
"event": {
"category": "vulnerability",
"end": "2024-06-29T00:00:00Z",
"start": "2024-06-20T00:00:00Z",
"type": "info"
},
"@timestamp": "2024-06-29T00:00:00Z",
"bitsight": {
"spm": {
"impacts_risk_vector_details": "AFFECTS_RATING",
"risk_category": "Diligence",
"risk_vector": "ssl_configurations",
"risk_vector_label": "SSL Configurations",
"severity": "10.0",
"severity_category": "severe",
"temporary_id": "11111111111111"
}
},
"host": {
"ip": [
"1.2.3.4"
]
},
"observer": {
"product": "Security Performance Management",
"vendor": "BitSight"
},
"organization": {
"id": "11111111111111111111111111111"
},
"related": {
"ip": [
"1.2.3.4"
]
}
}
{
"message": "{\n \"temporary_id\": \"11111111111111111111111111111111\",\n \"affects_rating\": true,\n \"details\": {\n \"cvss\": {\n \"base\": [\n \n ]\n },\n \"check_pass\": \"\",\n \"diligence_annotations\": {\n \"message\": \"Detected service: HTTPS\",\n \"CPE\": [\n \"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*\"\n ],\n \"Tags\": [\n \n ],\n \"Title\": \"Service\",\n \"transport\": \"tcp\",\n \"Status\": \"HTTP/1.1 200 OK\",\n \"Server\": \"Microsoft-HTTPAPI/2.0\"\n },\n \"final_location\": \"https://1.2.3.4:8086/\",\n \"geo_ip_location\": \"Test\",\n \"country\": \"TestCountry\",\n \"grade\": \"GOOD\",\n \"remediations\": [\n {\n \"message\": \"Detected service: HTTPS\",\n \"help_text\": \"This port was observed running Hypertext Transfer Protocol Secure (HTTPS), which is used for sending and receiving secure internet traffic.\",\n \"remediation_tip\": \"\"\n }\n ],\n \"sample_timestamp\": \"2024-06-29T11:52:03Z\",\n \"dest_port\": 8086,\n \"rollup_end_date\": \"2024-06-29\",\n \"rollup_start_date\": \"2023-05-13\",\n \"searchable_details\": \"Detected service: HTTPS,tcp\"\n },\n \"evidence_key\": \"1.2.3.4:8086\",\n \"first_seen\": \"2023-05-13\",\n \"last_seen\": \"2024-06-29\",\n \"related_findings\": [\n \n ],\n \"risk_category\": \"Diligence\",\n \"risk_vector\": \"open_ports\",\n \"risk_vector_label\": \"Open Ports\",\n \"rolledup_observation_id\": \"1123123123123123123\",\n \"severity\": 1.0,\n \"severity_category\": \"minor\",\n \"tags\": [\n \n ],\n \"remediation_history\": {\n \"last_requested_refresh_date\": null,\n \"last_refresh_status_date\": null,\n \"last_refresh_status_label\": null,\n \"last_refresh_reason_code\": null\n },\n \"asset_overrides\": [\n \n ],\n \"duration\": null,\n \"comments\": null,\n \"remaining_decay\": 57,\n \"remediated\": null,\n \"impacts_risk_vector_details\": \"AFFECTS_RATING\",\n \"company_uuid\": \"1111111111111111111111111\",\n \"asset\": {\n \"asset\": \"1.2.3.4\",\n \"identifier\": null,\n \"category\": \"low\",\n \"importance\": 0.0,\n \"is_ip\": true,\n \"asset_type\": \"IP\"\n }\n}",
"event": {
"category": "vulnerability",
"end": "2024-06-29T00:00:00Z",
"start": "2023-05-13T00:00:00Z",
"type": "info"
},
"@timestamp": "2024-06-29T00:00:00Z",
"bitsight": {
"spm": {
"impacts_risk_vector_details": "AFFECTS_RATING",
"risk_category": "Diligence",
"risk_vector": "open_ports",
"risk_vector_label": "Open Ports",
"severity": "1.0",
"severity_category": "minor",
"temporary_id": "11111111111111111111111111111111"
}
},
"host": {
"ip": [
"1.2.3.4"
]
},
"observer": {
"product": "Security Performance Management",
"vendor": "BitSight"
},
"organization": {
"id": "1111111111111111111111111"
},
"related": {
"ip": [
"1.2.3.4"
]
}
}
{
"message": "{\n \"temporary_id\": \"1111111111111111111111111111111111111111111111111111&\",\n \"affects_rating\": false,\n \"asset\": {\n \"asset\": \"1.2.3.4\",\n \"identifier\": null,\n \"category\": \"low\",\n \"importance\": 0,\n \"is_ip\": true,\n \"asset_type\": \"Domain\"\n },\n \"vulnerability\": {\n \"name\": \"CVE-2014-3566\",\n \"alias\": \"POODLE\",\n \"display_name\": \"POODLE\",\n \"description\": \"The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).\",\n \"remediation_tip\": \"Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in <a target=\\\"new\\\" href=\\\"https://disablessl3.com/\\\">Disable SSLv3</a>.\",\n \"confidence\": \"HIGH\",\n \"cvss\": {\n \"base\": 3.4\n },\n \"severity\": \"Minor\"\n },\n \"company_uuid\": \"399e55d6-eab2-438d-84cd-fb0d0b967fcd\",\n \"details\": {\n \"cvss\": {\n \"base\": [\n 3.4\n ]\n },\n \"check_pass\": \"\",\n \"diligence_annotations\": {\n \"remediation_dates\": [\n {\n \"first\": \"2022-08-14 21:04:42\",\n \"last\": \"2022-08-14 21:04:42\"\n }\n ],\n \"is_remediated\": true\n },\n \"remediations\": [\n {\n \"message\": \"CVE-2014-3566 (POODLE)\",\n \"help_text\": \"The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).\",\n \"remediation_tip\": \"Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in <a target=\\\"new\\\" href=\\\"https://disablessl3.com/\\\">Disable SSLv3</a>.\"\n }\n ],\n \"rollup_end_date\": \"2022-08-14\",\n \"rollup_start_date\": \"2022-08-14\",\n \"searchable_details\": \"CVE-2014-3566\"\n },\n \"evidence_key\": \"1.2.3.4:443\",\n \"first_seen\": \"2022-08-14\",\n \"last_seen\": \"2022-08-14\",\n \"related_findings\": [],\n \"risk_category\": \"Diligence\",\n \"risk_vector\": \"patching_cadence\",\n \"risk_vector_label\": \"Patching Cadence\",\n \"rolledup_observation_id\": \"ZxFoXXsV3gvZS0t0oTmxcA==\",\n \"severity\": 4.3,\n \"severity_category\": \"moderate\",\n \"tags\": [],\n \"remediation_history\": {\n \"last_requested_refresh_date\": null,\n \"last_refresh_status_date\": null,\n \"last_refresh_status_label\": null,\n \"last_refresh_reason_code\": null\n },\n \"asset_overrides\": [],\n \"duration\": \"1 day\",\n \"comments\": null,\n \"remaining_decay\": null,\n \"remediated\": true,\n \"impacts_risk_vector_details\": \"LIFETIME_EXPIRED\"\n}",
"event": {
"category": "vulnerability",
"end": "2022-08-14T00:00:00Z",
"start": "2022-08-14T00:00:00Z",
"type": "info"
},
"@timestamp": "2022-08-14T00:00:00Z",
"bitsight": {
"spm": {
"impacts_risk_vector_details": "LIFETIME_EXPIRED",
"remediated": true,
"risk_category": "Diligence",
"risk_vector": "patching_cadence",
"risk_vector_label": "Patching Cadence",
"severity": "4.3",
"severity_category": "moderate",
"temporary_id": "1111111111111111111111111111111111111111111111111111&",
"vulnerability_confidence": "HIGH"
}
},
"observer": {
"product": "Security Performance Management",
"vendor": "BitSight"
},
"organization": {
"id": "399e55d6-eab2-438d-84cd-fb0d0b967fcd"
},
"related": {
"hosts": [
"1.2.3.4"
]
},
"url": {
"domain": "1.2.3.4"
},
"vulnerability": {
"description": "The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).",
"id": "CVE-2014-3566",
"score": {
"base": 3.4
},
"severity": "Minor"
}
}
{
"message": "{\n \"temporary_id\": \"1111111111111111111111111111111111111111111111111111&\",\n \"affects_rating\": false,\n \"asset\": {\n \"asset\": \"1.2.3.4\",\n \"identifier\": null,\n \"category\": \"low\",\n \"importance\": 0,\n \"is_ip\": true,\n \"asset_type\": \"IP\"\n },\n \"vulnerability\": {\n \"name\": \"CVE-2014-3566\",\n \"alias\": \"POODLE\",\n \"display_name\": \"POODLE\",\n \"description\": \"The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).\",\n \"remediation_tip\": \"Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in <a target=\\\"new\\\" href=\\\"https://disablessl3.com/\\\">Disable SSLv3</a>.\",\n \"confidence\": \"HIGH\",\n \"cvss\": {\n \"base\": 3.4\n },\n \"severity\": \"Minor\"\n },\n \"company_uuid\": \"399e55d6-eab2-438d-84cd-fb0d0b967fcd\",\n \"details\": {\n \"cvss\": {\n \"base\": [\n 3.4\n ]\n },\n \"check_pass\": \"\",\n \"diligence_annotations\": {\n \"remediation_dates\": [\n {\n \"first\": \"2022-08-14 21:04:42\",\n \"last\": \"2022-08-14 21:04:42\"\n }\n ],\n \"is_remediated\": true\n },\n \"remediations\": [\n {\n \"message\": \"CVE-2014-3566 (POODLE)\",\n \"help_text\": \"The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).\",\n \"remediation_tip\": \"Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in <a target=\\\"new\\\" href=\\\"https://disablessl3.com/\\\">Disable SSLv3</a>.\"\n }\n ],\n \"rollup_end_date\": \"2022-08-14\",\n \"rollup_start_date\": \"2022-08-14\",\n \"searchable_details\": \"CVE-2014-3566\"\n },\n \"evidence_key\": \"1.2.3.4:443\",\n \"first_seen\": \"2022-08-14\",\n \"last_seen\": \"2022-08-14\",\n \"related_findings\": [],\n \"risk_category\": \"Diligence\",\n \"risk_vector\": \"patching_cadence\",\n \"risk_vector_label\": \"Patching Cadence\",\n \"rolledup_observation_id\": \"ZxFoXXsV3gvZS0t0oTmxcA==\",\n \"severity\": 4.3,\n \"severity_category\": \"moderate\",\n \"tags\": [],\n \"remediation_history\": {\n \"last_requested_refresh_date\": null,\n \"last_refresh_status_date\": null,\n \"last_refresh_status_label\": null,\n \"last_refresh_reason_code\": null\n },\n \"asset_overrides\": [],\n \"duration\": \"1 day\",\n \"comments\": null,\n \"remaining_decay\": null,\n \"remediated\": true,\n \"impacts_risk_vector_details\": \"LIFETIME_EXPIRED\"\n}",
"event": {
"category": "vulnerability",
"end": "2022-08-14T00:00:00Z",
"start": "2022-08-14T00:00:00Z",
"type": "info"
},
"@timestamp": "2022-08-14T00:00:00Z",
"bitsight": {
"spm": {
"impacts_risk_vector_details": "LIFETIME_EXPIRED",
"remediated": true,
"risk_category": "Diligence",
"risk_vector": "patching_cadence",
"risk_vector_label": "Patching Cadence",
"severity": "4.3",
"severity_category": "moderate",
"temporary_id": "1111111111111111111111111111111111111111111111111111&",
"vulnerability_confidence": "HIGH"
}
},
"host": {
"ip": [
"1.2.3.4"
]
},
"observer": {
"product": "Security Performance Management",
"vendor": "BitSight"
},
"organization": {
"id": "399e55d6-eab2-438d-84cd-fb0d0b967fcd"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"vulnerability": {
"description": "The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).",
"id": "CVE-2014-3566",
"score": {
"base": 3.4
},
"severity": "Minor"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
Name | Type | Description |
---|---|---|
@timestamp |
date |
Date/time when the event originated. |
bitsight.spm.impacts_risk_vector_details |
keyword |
The details of the risk vector. |
bitsight.spm.remediated |
boolean |
Whether the vulnerability has been remediated. |
bitsight.spm.risk_category |
keyword |
The category of the risk. |
bitsight.spm.risk_vector |
keyword |
The vector of the risk. |
bitsight.spm.risk_vector_label |
keyword |
The vector label of the risk. |
bitsight.spm.severity |
keyword |
The severity of the event. |
bitsight.spm.severity_category |
keyword |
The category of the severity. |
bitsight.spm.temporary_id |
keyword |
A temporary ID. |
bitsight.spm.vulnerability_confidence |
keyword |
The confidence score of the vulnerability. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.end |
date |
event.end contains the date when the event ended or when the activity was last observed. |
event.start |
date |
event.start contains the date when the event started or when the activity was first observed. |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
host.ip |
ip |
Host ip addresses. |
observer.product |
keyword |
The product name of the observer. |
observer.vendor |
keyword |
Vendor name of the observer. |
organization.id |
keyword |
Unique identifier for the organization. |
url.domain |
keyword |
Domain of the url. |
vulnerability.description |
keyword |
Description of the vulnerability. |
vulnerability.id |
keyword |
ID of the vulnerability. |
vulnerability.score.base |
float |
Vulnerability Base score. |
vulnerability.severity |
keyword |
Severity of the vulnerability. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.